Overview
Web applications face relentless attacks from malicious actors seeking to exploit common vulnerabilities. Understanding these attack vectors isn't just for security specialists - every developer, tester and architect needs to know how their applications can be compromised and how to prevent it.
This intensive workshop provides a comprehensive exploration of web application security through the lens of the OWASP Top 10: the industry-standard catalogue of the most critical security risks facing web applications. Through a combination of theory, hands-on exploitation exercises and threat modelling, participants will gain both offensive and defensive security skills.
By the end of this workshop, you'll understand how attackers think, what they look for and how to build applications that resist common attacks. We emphasise learning by doing: you'll exploit vulnerable applications in safe environments, then apply threat modelling techniques to systematically identify and mitigate vulnerabilities in your own systems. The goal is to shift security thinking from a checkbox activity to a fundamental part of your development mindset.
Outline
Introduction to web application security
- The current threat landscape: real-world breach consequences and their business impact
- Understanding the attacker mindset and motivation
- Common misconceptions about application security
- The shared responsibility model: why security is everyone's job
- Regulatory considerations: GDPR, data protection frameworks and compliance requirements
- Introduction to the OWASP Top 10 and its role in the security community
Security fundamentals and architecture
- Understanding web application architecture from a security perspective
- Trust boundaries, defence in depth and the principle of least privilege
- Security by design principles and common architectural security layers
- The difference between secure design and secure implementation
Introduction to threat modelling
- Why threat modelling matters and who should do it
- The threat modelling process: from architecture to mitigation
- Creating Data Flow Diagrams for your applications
- The STRIDE model for systematic vulnerability identification
- Building security requirements from threat models
- Integrating threat modelling into your development workflow
The OWASP Top 10 vulnerabilities
For each of the OWASP Top 10 vulnerabilities, you'll learn how attackers discover and exploit the weakness, then apply threat modelling techniques to systematically identify and mitigate that risk in your own applications. Hands-on exercises against deliberately vulnerable systems give you practical experience of both offensive and defensive security: exploiting each vulnerability and then mitigating it.
Security testing and validation
- Introduction to industry-standard tools, including Burp Suite and OWASP ZAP
- Balancing automated vulnerability scanning with manual testing techniques
- Writing effective security test cases from threat models
- Integrating security testing into CI/CD pipelines
- The CVE and CWE process for tracking and addressing known vulnerabilities
Building a security-first culture
- Security as a shared team responsibility
- Code review and design thinking with a security mindset
- Security champions and knowledge sharing within teams
- Staying current with emerging threats and vulnerabilities
Requirements
This course is designed for developers, testers, architects and technical leaders at all levels. No prior security experience is required, though participants should have at least 6 months of experience building or testing web applications.
The course is a mixture of demonstrations, hands-on practicals and threat modelling work. Participants work both individually and in teams throughout the workshop. A laptop capable of running a modern web browser and connecting to the lab virtual machines is required.
This workshop can be tailored to 2 or 3 days depending on your team's needs and existing security knowledge. The course can be delivered using any modern programming language.
If you require more in-depth cloud security content, please see our Cloud Security with Threat Modelling course.